Best Reviews may receive compensation for its content through paid collaborations. See how we sustain our work & review products.
When Passwords and Security Questions Fail

By István F. Verified by Adam B. Last updated: July 17, 2024

The average person thinks about password security only when they get a notification saying that one of their accounts was compromised or when they forget the current password and need a new one. Passwords and security questions form the first line of defense and have the role of protecting an account from intruders.

The chosen password – if generated by you – may seem solid as a rock, and that’s the way it should be: the more complex it is, the harder that account is to crack. For self-generated passwords, users often have their own secret recipes, which usually include some sort of emotional connection to something or someone.

For hackers who don’t know you personally, a password generated using this secret and unique recipe could be a hard nut to crack, especially if the password is longer than 12 characters and includes numbers and special characters.

But what happens when these unique recipes are so good that even the person who created them can’t get into the account? That’s where security questions come in: they are meant to be a reliable password recovery feature. For this purpose there are some personal things that you will never forget, such as your mother’s maiden name, your first car, or the city where you were born.

Given the deeply personal nature of these things, such questions are supposed to protect the account, as the answers are hard to guess for anyone who doesn’t know you – unless, of course, you foolishly publish such data publicly on platforms such as Facebook.

When security questions fail

Things take on a different perspective when the ‘hacker’ of your online account(s) is someone you know well. It could well be your intimate partner, who may know the answers simply because they have come to know the personal information that might come up in a security question.

Technology now allows the installation of ‘spouseware’ (sometimes called ‘stalkerware’) to monitor a partner’s smartphone without their consent. But even those who don’t go this far can still be tempted to access their partner’s online accounts to read messages and keep an eye on their other half’s online activity. Don’t expect these stalkers to ask their victims for their password since they usually hack into the accounts by guessing the password or using the security questions via the reset function.

Forget security questions

A group of researchers analyzed hundreds of millions of secret questions and answers used for account recovery claims at Google. What they found puts into question the entire foundation of security questions: such functions are “neither secure nor reliable enough to be used as a standalone account recovery mechanism”. The authors of the research – Elie Bursztein, Anti-Abuse Research Lead, and Ilan Caron, Software Engineer – used their findings to pinpoint the reason for security questions’ shortcomings: “That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember, but rarely both.”

It shouldn’t come as a surprise that easy-to-remember answers aren’t secure because they often contain information that is publicly available or within a small set of possible answers.

The more difficult an answer is to guess, the harder it is to remember, and so the less it serves its purpose; it isn’t easy to remember the number of your library card, for example. This means the backup security won’t work and you end up locked out of your account.

While the obvious thing would be to add more security questions, the researchers found that piling them on makes password recovery difficult, even for rightful users who might ordinarily recall the answers in most cases.

What can you do?

As you can see, security questions are nowhere near serving their purpose unless the answer is a lie. But this would mean that alongside the password you also need to remember the false answer, otherwise you’ll end up locked out of your account. This could act as an additional layer of security against stalking by your partner (or, indeed, an ex).

Since the average U.S. internet user has more than 100 accounts, it is impossible to remember every password and security question answer unless they are recycled. That, however, leaves you vulnerable to hackers: if they manage to get access to one account, the same passwords and security question answers can be used to enter the others.


To address the problem, using a password manager is strongly encouraged, as it brings more than just the convenience of storing passwords. In addition to generating a unique and cryptographically secure password for each account, such software will also store the security questions and answers associated with it. So those who might stalk you will first have to get past the security measures imposed by the developers of the password manager – and that could keep them busy for a while.
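To put numbers on the argument above (real answers come from a small, lopsided set; a random answer stored in a password manager does not), here is an added illustration that is not part of the original article. The answer frequencies are constructed for the example and are not figures from the Google study it cites.

```python
import math
import secrets

# Constructed sample: how often each answer to a "first car?" question
# appears among 1,000 hypothetical recovery records (made-up numbers).
SAMPLE_ANSWERS = {
    "toyota": 310, "honda": 240, "ford": 180, "vw": 120,
    "bmw": 60, "fiat": 50, "saab": 25, "lada": 15,
}


def guess_success_rate(counts, attempts):
    """Share of accounts opened by someone who simply tries the `attempts`
    most common answers. With a lopsided distribution a handful of guesses
    covers most users, which is why a low lockout threshold matters."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:attempts]
    return sum(top) / total


def answer_entropy_bits(counts):
    """Shannon entropy of the honest-answer distribution, in bits.
    This is how much uncertainty a stranger actually faces; a partner
    who knows the real answer faces none."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def is_common_answer(answer, counts, top_n=3):
    """Check a chosen answer against the most frequent ones (a defender-side
    sanity check before accepting it as a recovery answer)."""
    common = sorted(counts, key=counts.get, reverse=True)[:top_n]
    return answer.strip().lower() in common


def random_answer(nbytes=12):
    """A 'lie' answer the article recommends, drawn from the OS CSPRNG.
    It is meant to be stored in the password manager, not memorised."""
    return secrets.token_urlsafe(nbytes)


def random_answer_bits(nbytes=12):
    """Entropy of random_answer(): 8 bits per random byte."""
    return 8 * nbytes


if __name__ == "__main__":
    print(f"1 guess opens {guess_success_rate(SAMPLE_ANSWERS, 1):.0%} of accounts")
    print(f"3 guesses open {guess_success_rate(SAMPLE_ANSWERS, 3):.0%} of accounts")
    print(f"honest answer: {answer_entropy_bits(SAMPLE_ANSWERS):.2f} bits")
    print(f"random answer: {random_answer_bits()} bits, e.g. {random_answer()}")
```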

©2012-2024 Best Reviews, a clovio brand – All rights reserved